OpenSSL flaw unlocks the internet's 'crown jewels'

If all of your system adminstrator friends are looking worried today it isn't the usual post Patch Tuesday blues, it's because of a bug in something that you may never have heard of, but which almost certainly affects your everyday use of the web.

OpenSSL is a cryptographic library that is used to secure large chunks of the internet. If you use sites or apps that send and receive encrypted data then it’s very likely they use OpenSSL to do it. It's used by open source web servers like Apache as well as by mail protocols including SMTP, POP and IMAP.

Thanks to a bug uncovered by Google Security that researchers are calling "Heartbleed" it's possible to fool OpenSSL systems into revealing part of the data in their system memories. This might be things like credit card transactions but it’s potentially even more serious than that.

Security specialist Graham Cluley writing on his blog says, "...it could also disclose the secret SSL keys themselves. These are the 'crown jewels', and could be used by malicious hackers to do even more damage, without leaving a trace".

If you want a detailed look at the flaw and how hackers may be able to exploit it, Elastica's CTO Dr Zulfikar Ramzan has posted a detailed walkthrough on his company's website. He stresses that the flaw is not inherent in the SSL/TLS protocol itself but in the specific OpenSSL implementation.

Finnish security specialist Codenomicon has a Heartbleed website with details of the bug and which lists vulnerable versions. It also lists operating systems that have shipped with potentially vulnerable OpenSSL versions, these include major Linux distros like Debian and Ubuntu.

It advises that site admins need to update to OpenSSL 1.0.1g immediately, and regenerate private keys. If an update to the latest version of OpenSSL isn’t possible it advises developers to recompile OpenSSL with the compile time option OPENSSL_NO_HEARTBEATS.

The bug has been in OpenSSL since December 2011 though it was only publicly announced yesterday. Whilst it isn’t known if it’s been exploited in the wild, Heartbleed leaves no trace in the server’s logs so it’s hard to know if a system has been compromised. The official security advisory is available here.